Howto: Single Sign On with Squid Proxy and Active Directory
Post by: tom on December 12th, 2007 | Filed under: Memento, Security | Tags: active directory, authentication, kerberos, single sign on, squid, username
Tested on: openSUSE 10.2, Squid 2.6 <-> Windows Server 2003
Goal: User authentication should be possible without “extra login” on the squid proxy.

Here we go …
- First of all, disable nscd (name service cache daemon)!
- Install winbind, samba client and kerberos tools
In this test environment, the domain is “D1COMP” and the realm is “D1COMP.LAN”.
- Edit /etc/krb5.conf
[libdefaults]
default_realm = D1COMP.LAN
clockskew = 300
[realms]
D1COMP.LAN = {
kdc = 172.31.7.27 ## One of your Domain Controllers
default_domain = d1comp.lan
admin_server = 172.31.7.27
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.d1comp.lan = D1COMP.LAN
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
}
- obtain Kerberos ticket
# kinit Administrator@D1COMP.LAN
Password for Administrator@D1COMP.LAN:
#
- check Kerberos ticket
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@D1COMP.LAN
--------
Valid starting Expires Service principal
12/12/07 16:16:01 12/13/07 02:16:45 krbtgt/D1COMP.LAN@D1COMP.LAN
renew until 12/13/07 16:16:01
--------
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
- Adjust /etc/samba/smb.conf
[global]
workgroup = D1COMP
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = D1COMP.LAN
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
- Join the Active Directory
# net join -S d1comp -UAdministrator%Password
Using short domain name -- D1COMP
Joined 'SERVER' to realm 'D1COMP.LAN'
# /etc/init.d/winbind start
Starting Samba WINBIND daemon ... done
- Basic Check:
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -g
D1COMP\domain guests
D1COMP\domain users
D1COMP\...
- Check support for NTLM authentication:
# wbinfo -a d1comp\\user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
ntlm_auth requires access to the privileged winbind pipe in order to function properly.
- Enable this by changing group of the winbind_privileged directory to the group you run Squid as (cache_effective_group setting in squid.conf).
# chgrp squid /var/lib/samba/winbindd_privileged
- Edit squid.conf to enable both the winbind basic and NTLM authenticators. Internet Explorer will use NTLM; everything else falls back to basic:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
##
# Credentials past their TTL are removed from memory
authenticate_ttl 0 seconds
##
## acl entries to require authentication:
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
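The steps above chain Kerberos, winbindd and the ntlm_auth helper before Squid ever sees a request, and the typical failure (“basicauthenticator helpers are crashing too rapidly”) comes from the helper path or the winbindd_privileged group, not from squid.conf. The following preflight script is an added example, not part of the original howto; it assumes the two helper locations named on this page (/usr/bin/ntlm_auth and /usr/lib/squid/ntlm_auth), the /var/lib/samba/winbindd_privileged directory, and a group named squid (your cache_effective_group). It locates the helper, verifies the pipe directory’s group, and then speaks the squid-2.5-basic helper protocol by hand (one “username password” line in, “OK” or “ERR …” out) so that helper problems can be separated from Squid configuration problems.

```shell
#!/bin/sh
# Preflight checks for the Squid -> ntlm_auth -> winbindd chain set up above.
# Added example, not part of the original howto. Assumptions: the two candidate
# helper paths, the winbindd_privileged directory and the group name "squid"
# are the ones mentioned on this page; change them to match your distribution
# and your cache_effective_group setting.

# Print the first executable among the candidate paths given as arguments.
# openSUSE ships ntlm_auth in /usr/bin; Debian also has it under /usr/lib/squid.
find_ntlm_auth() {
    for candidate in "$@"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Check that DIR is group-owned by GROUP. ntlm_auth opens the privileged
# winbindd pipe in this directory; if Squid's group cannot enter it the helper
# exits at once and Squid logs "helpers are crashing too rapidly".
# Uses ls(1) rather than stat(1) so the check works on GNU and BSD userlands.
privileged_pipe_group_ok() {
    dir=$1
    want=$2
    [ -d "$dir" ] || return 1
    have=$(ls -ld "$dir" | awk '{print $4}')
    [ "$have" = "$want" ] || return 1
    return 0
}

# Drive a basic helper by hand, the way Squid does: one line "username password"
# on stdin; the first line of the reply must start with "OK". Anything else
# ("ERR ...", or no output at all when the binary cannot run) is a failure.
# Usage: probe_basic_helper USER PASS HELPER [HELPER-ARGS...]
probe_basic_helper() {
    user=$1
    pass=$2
    shift 2
    reply=$(printf '%s %s\n' "$user" "$pass" | "$@" 2>/dev/null | head -n 1)
    case "$reply" in
        OK*)
            return 0
            ;;
        *)
            printf 'helper replied: %s\n' "${reply:-<no output>}" >&2
            return 1
            ;;
    esac
}

# Interactive entry point: sh preflight.sh --run 'D1COMP\user'
# (quote the backslash so the shell does not eat it).
main() {
    user=$1
    helper=$(find_ntlm_auth /usr/bin/ntlm_auth /usr/lib/squid/ntlm_auth) || {
        echo "ntlm_auth not found in the expected locations" >&2
        return 1
    }
    echo "using helper: $helper"
    if privileged_pipe_group_ok /var/lib/samba/winbindd_privileged squid; then
        echo "winbindd_privileged is group-owned by squid"
    else
        echo "WARNING: winbindd_privileged is not group-owned by squid (see the chgrp step)" >&2
    fi
    printf 'Password for %s: ' "$user"
    stty -echo
    read -r pass
    stty echo
    echo
    if probe_basic_helper "$user" "$pass" "$helper" --helper-protocol=squid-2.5-basic; then
        echo "basic helper: OK"
    else
        echo "basic helper: FAILED" >&2
        return 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    main "$2"
fi
```

The functions can also be sourced into another script. A helper that answers “OK” here but still crashes under Squid points at the group ownership check or at the squid-2.5-ntlmssp helper line rather than at the basic one.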
This howto is no guarantee that it will work, but a kind of reminder for me :/
Special thanks to Adrian Chadd and the wiki @ squid-cache.org!
June 26th, 2008 at 13:30
Surely you’d rather be using /usr/lib/squid/ntlm_auth rather than /usr/bin/ntlm_auth?
June 26th, 2008 at 23:30
I used openSUSE 10.2 in this test environment and installed squid & co. out of the box ( -> I did _not_ install anything from source).
There, I didn’t have ntlm_auth @ /usr/lib/squid/ but at /usr/bin/ …
Thanks for the advice, anyway -> What distribution do you use?
June 27th, 2008 at 15:28
Debian Etch, and thanks for the guide, clearly sorted my problems out!
June 28th, 2008 at 12:07
Well I seem to have both lib/squid/ntlm_auth and usr/bin/ntlm-auth, either should work correctly?
February 20th, 2009 at 13:09
I configure krb5.conf, smb.conf, squid.conf, join AD, wbinfo -t and -a are OK but it is not possible to start squid: error in cache.log: WARNING: basicauthenticator exited
Too few basicauthenticator processes are running
FATAL: The basicauthenticator helpers are crashing too rapidly
when I tried to run /usr/bin/ntlm_auth nothing happens, no OK, no errors (I think this is ntlm_auth from samba)
environment: SAMBA 3.0.10, squid-2.6.STABLE16
February 25th, 2009 at 21:23
Strange.. Which OS?
When I run /usr/bin/ntlm_auth -V i.e. it shows
Version 3.0.23d-..
March 7th, 2009 at 20:22
Nicol – that can happen if it can’t execute the authenticator. Check for the correct path and spelling of the binary and check the permissions.
March 7th, 2009 at 21:57
I’d also like to add that single sign-on does not work with Vista out of the box. You might want to read this page as well:
http://www.mail-archive.com/squid-users@squid-cache.org/msg58454.html